I am attempting to forward http requests to my external interface, from internal machines to a machine that is located on the internal interface, via the firewall rules. Externally, I am able to forward the port to the webserver located behind the firewall, and I want to use the same hostname/ip for clients if they are on both sides of the firewall.

Note that I only want to do just the one port, so I do not want to loopback all the requests.

I tried to add this to the rules:

    DNAT loc loc:192.168.2.96 tcp 80

But this is the result in the log file

    Feb 25 11:07:05 yo2 kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.2.226 DST=192.168.2.96 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=21932 DF PROTO=TCP SPT=51093 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
spam@tachegroup.com wrote:
> I am attempting to forward http requests to my external interface, from
> internal machines to a machine that is located on the internal interface,
> via the firewall rules. Externally, I am able to forward the port to the
> webserver located behind the firewall, and I want to use the same
> hostname/ip for clients if they are on both sides of the firewall.
>
> Note, that I only want to do just the one port, so I do not want to
> loopback all the requests.
>
> I tried to add this to the rules:
>
> DNAT loc loc:192.168.2.96 tcp 80
>
> But this is the result in the log file
>
> Feb 25 11:07:05 yo2 kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
> SRC=192.168.2.226 DST=192.168.2.96 LEN=60 TOS=0x00 PREC=0x00 TTL=63
> ID=21932 DF PROTO=TCP SPT=51093 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

This is Shorewall FAQ #2!

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Yes I know, I read that, but the example states "all loc->loc traffic", while I just want www and only www to be rerouted.

On Feb 25, 2005, at 11:41 AM, Tom Eastep wrote:
> spam@tachegroup.com wrote:
>> I am attempting to forward http requests to my external interface, from
>> internal machines to a machine that is located on the internal interface,
>> via the firewall rules. Externally, I am able to forward the port to the
>> webserver located behind the firewall, and I want to use the same
>> hostname/ip for clients if they are on both sides of the firewall.
>>
>> Note, that I only want to do just the one port, so I do not want to
>> loopback all the requests.
>>
>> I tried to add this to the rules:
>>
>> DNAT loc loc:192.168.2.96 tcp 80
>>
>> But this is the result in the log file
>>
>> Feb 25 11:07:05 yo2 kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
>> SRC=192.168.2.226 DST=192.168.2.96 LEN=60 TOS=0x00 PREC=0x00 TTL=63
>> ID=21932 DF PROTO=TCP SPT=51093 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
>
> This is Shorewall FAQ #2!
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,        \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
> PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
TGS wrote:
> Yes I know, I read that, but the example states "all loc->loc traffic",
> while I just want www and only www to be rerouted.
>

What that is trying to say is that any traffic you redirect (IN YOUR CASE, WWW ONLY) will look like it comes from the firewall rather than the originating client. It is a horrible, hacky approach which is why I don't recommend it.

And, before you ask, no other firewall will do any better -- it is a consequence of the way that IP works.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
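The single-port hairpin that FAQ #2 describes, written out as a configuration fragment. This is an added illustration, not text from the thread or from Shorewall's own files; it assumes eth1 is the internal interface (as in the log line), 203.0.113.10 is the firewall's external address and 192.168.2.1 its internal address (both placeholders), and the LAN clients resolve the public hostname to 203.0.113.10.

```text
# /etc/shorewall/rules  (added example)
# Columns: ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST

# Internet clients reaching the external address are forwarded to the web server.
DNAT    net     loc:192.168.2.96    tcp    80    -    203.0.113.10

# LAN clients using the same public hostname are forwarded the same way.
# Restricting ORIGINAL DEST to the external address keeps the rule to the
# hairpin case only; LAN traffic addressed directly to 192.168.2.96 never
# transits the firewall and is not touched.
DNAT    loc     loc:192.168.2.96    tcp    80    -    203.0.113.10

# /etc/shorewall/masq  (added example)
# Columns: INTERFACE  SUBNET  ADDRESS
# Rewrite the source of LAN-to-LAN traffic leaving eth1 to the firewall's own
# internal address, so the server's replies return through the firewall rather
# than going straight to the client (which still expects them from
# 203.0.113.10 and would reset the connection). Because only the DNAT'd
# port-80 flows ever pass through the firewall between two loc hosts, this is
# what makes "www only" appear to originate from the firewall, the side effect
# Tom describes above.
eth1    192.168.2.0/24    192.168.2.1
```

After a restart, `shorewall show nat` should list both the DNAT and the SNAT entries, and the web server's access log will record 192.168.2.1 rather than the real LAN client for these requests, which is worth remembering when reviewing those logs.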
Yes, rather hackish, I do agree. But I need to do something in a pinch, and not for long term. Thanks for the help.

On Feb 25, 2005, at 8:12 PM, Tom Eastep wrote:
> TGS wrote:
>> Yes I know, I read that, but the example states "all loc->loc traffic",
>> while I just want www and only www to be rerouted.
>>
>
> What that is trying to say is that any traffic you redirect (IN YOUR
> CASE, WWW ONLY) will look like it comes from the firewall rather than
> the originating client. It is a horrible, hacky approach which is why I
> don't recommend it.
>
> And, before you ask, no other firewall will do any better -- it is a
> consequence of the way that IP works.
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,        \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
> PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key